Date:      Sat, 19 Jun 2004 10:55:32 +0300
From:      quetzal@roks.biz
To:        Robert Downes <nullentropy@lineone.net>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: Blocked outbound traffic - what is it?
Message-ID:  <20040619075532.GA690@roks.biz>
In-Reply-To: <40D355DA.3040707@lineone.net>
References:  <200406182122.2239016.6@btsoftware.com> <40D355DA.3040707@lineone.net>

On Friday, 18 June 2004 at 21:51:38 +0100, Robert Downes wrote:
> 
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 332 deny tcp from any to any established in recv $pif
> 
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type.
> # Only necessary for cable or DSL configurations.
> # This rule is not needed for 'user ppp' type connection to
> # the public internet. This is the same IP address you captured
> # and used in the outbound section.
> #$cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state
> 
> # Allow in standard www function because I have apache server
> #$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> 
> # Allow in secure FTP, Telnet, and SCP from public Internet
> #$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
> 
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID & PW are passed over public
> # internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> #$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
> 
> # Allow in secure FTP, Telnet, and SCP from public Internet
> #$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
> 
> # Allow in icmp responses
> $cmd 390 allow icmp from any to any icmptypes 0,3,11,12 in recv $pif
> 
> # Reject & Log all unauthorized incoming connections from the public internet
> $cmd 400 deny log all from any to any in recv $pif
> 
> # Reject & Log all unauthorized outgoing connections to the public internet
> $cmd 450 deny log all from any to any out xmit $pif
> 
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out xmit $pif
> $cmd 801 allow ip from any to any
> 
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
> 
> 
> 
> ################ End of IPFW rules file
> ###############################

Hi, Robert.
You don't need to worry about trojans. By the logic of your rules, I think that
these packets are blocked because of the ending lifetime of some dynamic rules.
See net.inet.ip.fw.dyn_fin_lifetime and net.inet.ip.fw.dyn_rst_lifetime
in man ipfw(8) and you will probably understand what I am talking about.
You can also try tcpdump to trace what occurs during the final phase of the TCP
session.

Best regards and sorry for my English
        Nikolay Pavlov.
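As an added illustration of the expiry mechanism Nikolay describes (this is not his code or FreeBSD's), here is a small Python model of an ipfw keep-state entry using the ipfw(8) default dyn_*_lifetime values; the packet trace, addresses and interface name are constructed, and the log lines are annotated rather than byte-exact ipfw output.

```python
# Added example (not FreeBSD code): a simplified model of how an ipfw
# keep-state entry expires, showing why a late FIN retransmission ends
# up in rule 450's deny log. Lifetimes are the ipfw(8) sysctl defaults.
from dataclasses import dataclass

DYN_SYN_LIFETIME = 20    # net.inet.ip.fw.dyn_syn_lifetime
DYN_ACK_LIFETIME = 300   # net.inet.ip.fw.dyn_ack_lifetime
DYN_FIN_LIFETIME = 1     # net.inet.ip.fw.dyn_fin_lifetime
DYN_RST_LIFETIME = 1     # net.inet.ip.fw.dyn_rst_lifetime

@dataclass
class Pkt:
    t: float        # seconds since start of the (constructed) trace
    direction: str  # "out" (xmit $pif) or "in" (recv $pif)
    flags: str      # any of S, A, F, R, as tcpdump prints them

def lifetime_for(syn: set, fin: set, rst: bool) -> int:
    """Lifetime the entry gets from the flags seen so far, simplified from
    the ipfw state machine: RST -> rst, both FINs -> fin, both SYNs -> ack,
    otherwise (still opening) -> syn."""
    if rst:
        return DYN_RST_LIFETIME
    if syn == {"out", "in"}:
        return DYN_FIN_LIFETIME if fin == {"out", "in"} else DYN_ACK_LIFETIME
    return DYN_SYN_LIFETIME

def simulate(trace):
    """Walk the trace through the quoted rule set: an outbound SYN creates a
    keep-state entry, later packets refresh it while it is alive, and a packet
    that finds no entry is denied by rule 332 (in, established) or 450 (out).
    Returns the deny log lines (ipfw-style, with an annotation appended)."""
    expires, syn, fin, rst, log = None, set(), set(), False, []
    for p in trace:
        alive = expires is not None and p.t <= expires
        if not alive and not (p.direction == "out" and p.flags == "S"):
            rule = 450 if p.direction == "out" else 332
            log.append(f"ipfw: {rule} Deny TCP 10.0.0.2:1025 198.51.100.7:80 "
                       f"{p.direction} via xl0  (t={p.t:.2f} flags={p.flags})")
            continue
        if not alive:                     # fresh SYN: new entry, state reset
            syn, fin, rst = set(), set(), False
        if "S" in p.flags: syn.add(p.direction)
        if "F" in p.flags: fin.add(p.direction)
        if "R" in p.flags: rst = True
        expires = p.t + lifetime_for(syn, fin, rst)
    return log

TRACE = [                 # constructed: normal close, server's last ACK lost
    Pkt(0.00, "out", "S"), Pkt(0.05, "in", "SA"), Pkt(0.10, "out", "A"),
    Pkt(1.00, "in", "FA"), Pkt(1.01, "out", "A"), Pkt(1.02, "out", "FA"),
    Pkt(2.50, "out", "FA"),   # retransmitted FIN: entry expired at t=2.02
    Pkt(3.00, "in", "A"),     # peer's ACK finally arrives, also too late
]

if __name__ == "__main__":
    for line in simulate(TRACE):
        print(line)
```

Raising net.inet.ip.fw.dyn_fin_lifetime in the model (or on the box) makes the 2.50 s retransmission match the still-live entry instead of being logged.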